General Considerations

  • In the age of electronic communication, there is the ever-present concern of compromised data. Data can be intercepted and accessed by third parties with their own agendas.
  • Naturally, the information between patients and their healthcare providers is quite sensitive. Neither party wants that data available to the public.

Email is not secure

  • In general, email communication is not secure for two reasons:
    • The data isn’t encrypted by default.
    • You cannot verify that the person reading the message is the intended recipient.
  • Encryption is the process of transforming data so that it is unreadable, but in a way that lets it be returned to its readable form. The transformation uses a cipher (the algorithm) and a key; sender and recipient must share the key (or, with public-key schemes, the recipient must hold the private key). Anyone without the key sees only gibberish.
  • By default, most email clients do not encrypt your communications end to end. This includes the popular web-based services such as Outlook.com, Gmail, and Yahoo: they typically protect the connection between your browser and their servers with TLS, but the provider can read the message, and server-to-server delivery uses TLS only opportunistically, so there is no guarantee that every hop to the recipient was encrypted.
  • Furthermore, there’s never a foolproof way to ensure that the intended recipient is actually the one reading the email. Perhaps the patient checked his mail in a public place with wandering eyes or left his phone somewhere by mistake.
  • Nevertheless, modern patients expect instant communication, so you can’t avoid emailing. For many patients and practices, email is becoming the preferred method of communication.

Here’s how to stay compliant with your electronic communications.

  • Encrypt everything
  • Treat every piece of electronic personal information as something to be encrypted, including physical documents scanned to a computer. It’s a simple process to have a scanned document/image sent to your storage location via encrypted email. Speak with your IT professional to set this up.
  • Personal and special personal information must be protected at rest and in transit. This means it must be secured while it is transmitted across networks or the Internet and while it is stored on the disks of workstations, servers, laptops, phones, and backups.
  • The person conducting the transmission is the liable party. As a data subject (in POPI terms), a replying patient isn’t bound by POPI. You, as the responsible party, are accountable for the security of the emails you send.
  • While POPI does not require that you encrypt every device and storage location, it would be silly not to. Encryption is cheap, easy, and can protect you from embarrassing mistakes and tedious litigation. Even if you technically followed the rules, you could still upset your patients if data were exposed.
  • It isn’t necessary to use a dedicated service to send POPI compliant emails. These services work, but with some added expense.
  • Some email clients can be configured to satisfy the law. For example, the desktop client Microsoft Outlook offers S/MIME encryption under its Security Settings, but this only works once you and the patient each hold an email certificate and have exchanged public keys; without the patient’s certificate Outlook cannot encrypt to them. Configuring the account to download mail and delete it from the server (POP3, or IMAP with deletion) reduces the copies held on the provider’s server, but it does nothing for the message while it is in transit and does not touch the copy in the recipient’s mailbox, so it cannot guarantee that there is no chance of interception.
  • If a patient is unable to accept encrypted communications, they can waive their right to privately receive emails from you. In this case, you can use any means of communication that works for you and the patient. Just make sure to have them sign a consent form and save it.
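As an added example (not part of the original article), the Python script below inspects a received message’s headers for the two protections the “Email is not secure” section and the encryption advice above turn on: whether each server-to-server hop recorded in the Received headers used TLS, and whether the content itself was S/MIME encrypted to the recipient. The hostnames, message IDs and message bodies are constructed sample data.

```python
"""Check an email's headers for transport (TLS) and end-to-end (S/MIME)
encryption. Added example for this article; hostnames, IDs and bodies
below are constructed sample data, not real mail."""
import email
import re
from email import policy

# RFC 3848 "with" keywords: a trailing S means the hop used TLS, a trailing A
# means the sender authenticated. SMTP/ESMTP/ESMTPA hops carried the message
# unencrypted. Anything else (e.g. Exchange's "with Microsoft SMTP Server")
# is reported as UNKNOWN so that it gets reviewed rather than assumed safe.
PROTO_RE = re.compile(r"\bwith\s+((?:UTF8)?E?SMTPS?A?)\b", re.IGNORECASE)
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}


def hop_protocols(msg):
    """Protocol keyword for each Received header, newest hop first."""
    protos = []
    for received in msg.get_all("Received", []):
        m = PROTO_RE.search(str(received))
        protos.append(m.group(1).upper() if m else "UNKNOWN")
    return protos


def is_smime_encrypted(msg):
    """True if the top-level body is an S/MIME enveloped-data part (RFC 8551),
    i.e. the content was encrypted to the recipient's certificate. This checks
    presence of the envelope only, not that it was built correctly."""
    if msg.get_content_type() != "application/pkcs7-mime":
        return False
    smime_type = str(msg.get_param("smime-type", "")).lower()
    return smime_type in ("enveloped-data", "authenveloped-data")


def assess(raw):
    """Summarise what protection a raw RFC 5322 message actually had."""
    msg = email.message_from_string(raw, policy=policy.default)
    protos = hop_protocols(msg)
    plaintext_hops = [p for p in protos if p not in TLS_KEYWORDS]
    return {
        "hops": protos,
        "plaintext_hops": plaintext_hops,
        # No Received headers at all means no evidence of TLS, so False.
        "all_hops_tls": bool(protos) and not plaintext_hops,
        "end_to_end_encrypted": is_smime_encrypted(msg),
    }


# Constructed sample 1: plain-text message whose final server-to-server hop
# ran without TLS ("with ESMTP"), although the first hop used TLS.
SAMPLE_PLAINTEXT = """\
Received: from mx.example-practice.test (mx.example-practice.test [192.0.2.10])
        by mail.patient-isp.test with ESMTP id abc123;
        Mon, 1 Jan 2024 09:00:00 +0200
Received: from workstation.example-practice.test (workstation [10.0.0.5])
        by mx.example-practice.test with ESMTPSA id def456;
        Mon, 1 Jan 2024 08:59:58 +0200
From: doctor@example-practice.test
To: patient@patient-isp.test
Subject: Your results
Content-Type: text/plain; charset=utf-8

Your blood test came back normal.
"""

# Constructed sample 2: every hop used TLS and the body is an S/MIME envelope.
# The base64 is a placeholder, not a real CMS structure; only headers are read.
SAMPLE_SMIME = """\
Received: from mx.example-practice.test (mx.example-practice.test [192.0.2.10])
        by mail.patient-isp.test with ESMTPS id ghi789;
        Mon, 1 Jan 2024 09:05:00 +0200
Received: from workstation.example-practice.test (workstation [10.0.0.5])
        by mx.example-practice.test with ESMTPSA id jkl012;
        Mon, 1 Jan 2024 09:04:58 +0200
From: doctor@example-practice.test
To: patient@patient-isp.test
Subject: Your results
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIIBFAYJKoZIhvcNAQcDoIIBBTCCAQECAQAxgc0wgcoCAQAwMzAeMRwwGgYDVQQDDBNleGFt
"""

if __name__ == "__main__":
    for label, raw in (("plaintext", SAMPLE_PLAINTEXT), ("smime", SAMPLE_SMIME)):
        print(label, assess(raw))
```

Two caveats apply when using this on real mail. Received headers are written by servers you do not control and can be forged, and they say nothing about the final leg from the patient’s provider to the patient’s phone or browser, so `all_hops_tls` is evidence, not proof. Only `end_to_end_encrypted` indicates the content was protected from the providers themselves, which is the property the advice above is really after.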

Get the patient’s consent

  • Consent is an important part of privacy. You can ensure you have the right contact information and protect yourself from lawsuits by getting permission in writing from your patient before you correspond through email.
  • On the form, explain to the patient the inherent risks of electronic communication. Offer some advice on safeguarding their computer to ensure their emails aren’t accessed by other people.
  • I recommend having your attorney evaluate a consent form before you send it to your patients.
  • Once you have the consent form, be sure to keep it safe. If the patient ever blames you for a privacy breach, you’ll want to be able to show that you had their permission.
  • When a patient initiates an email conversation, it’s safe to assume they permit that type of communication (unless they have previously expressed otherwise). Still, you must secure these emails like any other.
  • If a patient hasn’t agreed to communicate electronically, never contact them through email.

Include a privacy statement with each email

  • Every email you send should conclude with a privacy statement. The statement should notify the receiver that the email is inherently insecure, express that the content is strictly confidential, and tell them who to report the email to if they are not the correct recipient.
  • The purpose of this statement is to remind the recipient every time that their correspondence isn’t 100% safe. If they choose to reply with confidential information, they are doing so at their own risk. Further, it encourages parties who shouldn’t read the email to report the miscommunication.
  • If your email needs are simple, this can be done by adding a signature to your emails through your client. If you work in a larger practice, speak with your IT professional to ensure that all emails include this statement.
  • That said, email disclaimers are not a substitute for properly encrypted emails. The purpose of the disclaimer is simply to inform. It does not absolve you of responsibility in any way.

Use an email provider that signs an Operator Agreement

  • POPI requires a responsible party to have a written contract with any operator that processes personal information on its behalf, and an email provider that stores and relays your patient correspondence is such an operator. If a provider will not sign this agreement, using it for patient data leaves you noncompliant. Do not assume an email service provider will sign one unless it is clearly advertised on their website.

Develop an office policy

  • It’s important to have a clearly defined policy for your staff or colleagues regarding the protection of personal and special personal information. A casual discussion isn’t enough. You need procedures.
  • In your documentation, include which types of information may and may not be transmitted electronically. You may restrict certain types of personal and special personal information (mental health issues, for instance) to in-person meetings only.
  • Document who may and who may not send or receive confidential patient information. For instance, you would allow a doctor, nurse, or other healthcare provider to discuss health matters with a patient, but not the receptionist, administrative assistant, or billing department. These restricted parties should only contact patients regarding administrative issues and immediately notify healthcare staff if a patient mentions medical information.
  • Make sure your emails are compliant by using our checklist. Subscribe to download this resource.

Related Documents

  • Form PMP028_Guidelines for Use of Emails by Employees
  • Form PMP031_Patient Consent for E-mail_sms Communication
  • Form PMP033_Consent to Use Electronic Communication

Still unsure? Feel free to contact us.